- Exposure can be controlled by managing what sensitive properties are on the RODC
- Windows Server 2008 only
- Complex control of updates like DDNS
- Cannot limit which users and groups are visible

ILM

- Simple firewall setup
- No inbound firewall rules
- No ILM license needed if you use IIFP (Enterprise Edition is required). See more below.
- Single place of management in the internal AD. Everything is pushed to the DMZ, including password changes. The helpdesk does not need access to the DMZ, nor any special procedures for changing properties.
- Full control of which objects are visible in the DMZ
- No leak of other objects (trust cannot be queried)
- SSO or at least the same password

- Requires an extra infrastructure component
- SQL license (unless an existing one can be used)
- May not have full SSO to all services (re-enter password)

That seems fine, you say. I know how to do the other stuff, but how complex is it to implement the ILM solution? Well, with ILM 2007 you have to create at least some code or get the code from someone who has made it (like Inceptio). Besides this, the rest is standard components. A very rough plan looks like this:

1. Create an internal AD management agent. Specify it as the password source and the DMZ AD management agent as the target.

2. Create a management agent that can figure out which objects should be replicated to the DMZ (use a group membership, a naming convention or some other property). Let this populate an expectedDN property. If the logic is simple, it could be done in an MVExtension. In the solution I have made, I have done it using attribute-value-property files and PowerShell code.

3. Flow the properties you want to keep in sync from the internal AD and export them to the DMZ AD.
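As an added illustration of step 2 (not code from the original post, nor from Inceptio's solution), the PowerShell below shows the two things that logic has to do: decide for each internal object whether it belongs in the DMZ and what its expectedDN is, and then audit the DMZ forest against that expected set so that leaked or stale objects show up. The group name DMZ-Sync, the OU paths, the domain components and the sample accounts are all constructed assumptions; in a real run the internal objects would come from Get-ADUser against the internal forest and the DMZ DNs from a query against the DMZ forest.

```powershell
# Added example, not the original post's code. All names and sample data are constructed.
Set-StrictMode -Version Latest

# Target container in the DMZ forest (assumption)
$DmzUserOu = 'OU=SyncedUsers,DC=dmz,DC=example,DC=com'
# Membership in this internal group decides whether an object is replicated (assumption)
$SyncGroupDn = 'CN=DMZ-Sync,OU=Groups,DC=corp,DC=example,DC=com'

function Get-ExpectedDmzDn {
    param(
        [Parameter(Mandatory)] [pscustomobject] $InternalObject,
        [string] $TargetOu = $DmzUserOu,
        [string] $GroupDn  = $SyncGroupDn
    )
    # Only enabled members of the sync group get an expectedDN; everything else
    # returns $null and therefore never reaches the DMZ.
    if ($InternalObject.MemberOf -notcontains $GroupDn) { return $null }
    if (-not $InternalObject.Enabled) { return $null }
    # Escape RDN special characters (RFC 4514) so a CN like "Smith, John"
    # does not produce a malformed DN.
    $cn = $InternalObject.Cn -replace '([,+"\\<>;=])', '\$1'
    return "CN=$cn,$TargetOu"
}

function Compare-DmzObjects {
    param(
        [Parameter(Mandatory)] [pscustomobject[]] $InternalObjects,
        [Parameter(Mandatory)] [string[]] $DmzDns
    )
    # Case-insensitive lookup tables keyed on the DN, values keep the original casing
    $expected = @{}
    foreach ($obj in $InternalObjects) {
        $dn = Get-ExpectedDmzDn -InternalObject $obj
        if ($dn) { $expected[$dn.ToLowerInvariant()] = $dn }
    }
    $present = @{}
    foreach ($dn in $DmzDns) { $present[$dn.ToLowerInvariant()] = $dn }

    [pscustomobject]@{
        # Should exist in the DMZ but does not yet: pending provisioning/export
        Missing    = @($expected.GetEnumerator() |
                       Where-Object { -not $present.ContainsKey($_.Key) } |
                       ForEach-Object { $_.Value } | Sort-Object)
        # Exists in the DMZ without a matching expectedDN: leaked or stale, must be deprovisioned
        Unexpected = @($present.GetEnumerator() |
                       Where-Object { -not $expected.ContainsKey($_.Key) } |
                       ForEach-Object { $_.Value } | Sort-Object)
    }
}

# Constructed sample data standing in for Get-ADUser output from the internal forest
$internal = @(
    [pscustomobject]@{ SamAccountName='jsmith'; Cn='Smith, John'; Enabled=$true;  MemberOf=@($SyncGroupDn) }
    [pscustomobject]@{ SamAccountName='adoe';   Cn='Anna Doe';    Enabled=$true;  MemberOf=@($SyncGroupDn) }
    [pscustomobject]@{ SamAccountName='svc01';  Cn='svc01';       Enabled=$true;  MemberOf=@() }
    [pscustomobject]@{ SamAccountName='bold';   Cn='Bob Old';     Enabled=$false; MemberOf=@($SyncGroupDn) }
)
# Constructed snapshot of what is currently in the DMZ OU
$dmz = @(
    "CN=Smith\, John,$DmzUserOu"
    "CN=Bob Old,$DmzUserOu"        # disabled internally, should have been removed
    "CN=Stray Account,$DmzUserOu"  # nobody provisioned this through ILM
)

$result = Compare-DmzObjects -InternalObjects $internal -DmzDns $dmz
"Missing in DMZ:    " + ($result.Missing -join '; ')
"Unexpected in DMZ: " + ($result.Unexpected -join '; ')
```

Run against the sample data, the audit reports Anna Doe as missing (she is in the group but not yet exported) and flags Bob Old and Stray Account as unexpected. The second list is the one worth alerting on: it is exactly the set of objects visible in the DMZ that the internal AD no longer vouches for, which is the "no leak of other objects" property the ILM approach promises and the RODC approach cannot give you.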

With Forefront Identity Manager (FIM) 2010, you should be able to get rid of the coding part, making the solution more attractive. When it comes to IIFP, that is not supported anymore. Microsoft removed the download at some point but made it available again. From my sources at Microsoft, no IIFP version of FIM will be available, so you have to buy it.